v4 changes from v3:
Tabs are clickable. Switch between Controls, Evidence, Intake, Maturity, Activity, Share to see what's in each.
Multi-select + bulk actions. Checkboxes on rows. Selecting any reveals a bulk action toolbar.
Draft state visible. Controls being edited show a "Draft · last edit 2h ago" pill alongside Reviewed/Not reviewed.
Click row → peek. Click any control row to open the detail peek. × closes it.
Approaches section below. For each of the 5 high-impact gaps from v3 (Gaps 1-5), several approaches are mocked with annotations + costs; three smaller gaps (6-8) get a short option list. Read down to compare.
Verdict tags: Recommended · Trade-off · Edge case · Blocker
Project RBC

RBC ISO 27001 · Q1 2026 In review

Scope: 📍 Toronto DC ☁️ AWS production 👥 Corporate IT
12 / 147 reviewed · 3 draft · 47 evidence · due Jun 30
🔐 ISO 27001:2022 147 controls · 12 reviewed · 3 draft
Columns: Control · Title · Maturity (of 5) · Source (AI / human) · Status · Impact · Evidence count · Scope
5. Organizational (37)
A.5.1 Policies for information security 3/5 AI Draft · 2h ago High 5 ev Toronto DC
A.5.2 Information security roles and responsibilities 4/5 human Reviewed High 3 ev All scopes
A.5.3 Segregation of duties 2/5 AI Not reviewed Med 2 ev Corp IT
A.5.4 Management responsibilities 3/5 AI Draft · 1d ago High 2 ev All scopes
8. Technological (34)
A.8.1 User endpoint devices 3/5 AI Not reviewed High 8 ev Corp IT
📎 Drop files here, paste a URL, or connect a folder · PDF · DOCX · XLSX · PNG · CSV · ZIP · or paste a SharePoint / Drive link
📄 document · Information_Security_Policy_v3.2.pdf · Maps to 7 controls · 2 frameworks · Captured Apr 12 · CISO@RBC
🖼 screenshot · Firewall config Palo Alto.png · Maps to 4 controls · 1 framework · Captured Apr 15
📊 configuration · asset_inventory_2026Q1.csv · Maps to 12 controls · 2 frameworks · Captured Apr 18
✍️ observation · CISO confirmed annual review · Maps to 2 controls · Apr 22 · G. Wang · human
12 evidence requests outstanding
Generated 2026-04-12 · ranked by control coverage
High · Information security policy document (current version)
Example: PDF or signed Word doc, dated, with version history
Covers 8 controls across ISO 27001 + SOC 2 · Likely fulfilled by Information_Security_Policy_v3.2.pdf
High · Annual policy review log (last 2 years)
Example: Excel sheet or governance committee minutes
Covers 4 controls · No matching evidence yet
Med · Asset inventory (servers, endpoints, cloud)
Example: CSV with hostname, owner, OS, location
Covers 6 controls · Likely fulfilled by asset_inventory_2026Q1.csv

Maturity radar (project)

Aggregate posture across all frameworks in scope.

[Radar chart — 8 axes, current vs target]
Current avg: 2.7 · Target: 3.5 · Trend: ↑ +0.3 since 2025

Year-over-year

Comparison vs RBC ISO 27001 · 2025.

Avg maturity 2.4 → 2.7 ↑ +0.3
Controls reviewed 132 / 147 +18
Gaps closed 14 ↓ from 28
New gaps 3 cloud migration
George W. drafted rationale on A.5.1 2h ago
AI agent generated 3 mappings for new evidence asset_inventory_2026Q1.csv 4h ago
Anouar M. commented on A.5.1 1d ago
"Score feels low. Suggest unmapping the CSV…"
George W. uploaded Firewall config Palo Alto.png 4d ago
📄 Generate PDF report · Static deliverable. Pick template.
🔗 Auditor link · Share-only link with locked Reviewer role.
📊 Client dashboard · Live posture view. Updates as you work.

Active links (3)

Auditor preview · Sarah K.
Reviewer role · expires May 30 · last opened 2d ago
Client dashboard · RBC GRC team
Client role · 4 viewers · live

Approaches for the high-impact gaps

Each gap from v3's reality check, with several candidate approaches. Each approach is annotated with what it does and the cost. Recommended ones are tagged Recommended; competing options are Trade-off; some are Edge case only.

Gap 1

Scope UI heterogeneity across frameworks

v3 used scope chips. But ISO 27001 wants a paragraph (Statement of Applicability), CPCSC wants Implementation Level + asset boundary, FedRAMP wants authorization boundary diagrams, SOC 2 wants services + period. One UI doesn't fit.

A · Free-text Statement of Applicability

Single rich-text field on the project. Markdown supported. Matches ISO 27001's actual deliverable shape.

Cost: Unstructured = unsearchable. Can't filter controls by scope element. Doesn't scale to multi-scope frameworks.
Edge case · Good for ISO-only single-site engagements.

B · Per-framework native scope forms

Each framework declares its own scope schema. ISO gets SoA + asset list. CPCSC gets Level + boundary. FedRAMP gets boundary + diagram upload. Project header surfaces a normalized summary.

Cost: Significant per-framework engineering. Schema work scales with framework count. Risk of inconsistent UX between frameworks.
Recommended · The honest answer. Same shape as the per-framework view sub-tabs.

C · Hybrid: structured tags + narrative

Required structured fields (asset names, locations, business units as tags). Optional free-text SoA narrative. Filters work on tags; narrative accompanies the report.

Cost: Forces every framework into the structured tag model even when it doesn't fit. ISO consultants have to re-key the SoA into tags.
Trade-off · Pragmatic compromise; loses some framework fidelity.

D · Reference document + tags

Scope = pointer to client's existing scope doc (SoA, ATO, etc.) attached as evidence + a small tag list for filtering. We don't author scope; we reference theirs.

Cost: Doesn't capture the scope as data. AI can't reason about scope changes. Defers all scope intelligence to the client doc.
Edge case · Useful early; weak as the long-term model.

Gap 2

Bulk operations on controls

Real consultants need to mark 30 controls "not applicable" at once, re-score 20 because the AI mis-mapped, add a comment to all controls in section 5. v3 was row-by-row.

A · Multi-select checkboxes (Airtable/Linear)

Checkbox per row. Group-level "select all" checkbox. Selection reveals a top toolbar with bulk actions: Mark reviewed, Mark N/A, Reassign scope, Re-run AI, Add comment.

Cost: Power-user pattern; novice users may miss it. Adds visual weight (checkboxes always visible).
Recommended · Standard for table-shaped products. Already shown in v4 above ↑

B · Filter-then-bulk

Apply filters first (e.g., "Section: 5, Status: Not started"), then "Apply to all 32 results" button. No multi-select state to maintain.

Cost: Can't bulk-act on arbitrary subsets. Filters that exclude rows you wanted force re-filtering.
Trade-off · Cleaner visually; less flexible.

C · Command palette (⌘K)

"Mark selected as N/A" via ⌘K. Selection happens via shift-click. Keyboard-first.

Cost: Discovery curve. New users won't find it. Best as a power-user shortcut alongside checkboxes, not instead.
Trade-off · Use additively, not as the primary path.

D · Right-click context menu

Familiar from spreadsheets. Select rows, right-click → bulk action menu.

Cost: Doesn't work on touch. Doesn't surface what's available without exploration.
Edge case · Nice-to-have alongside checkboxes.

Gap 3

Draft state for in-progress review

Real review is iterative: open a control, write rationale, get pulled into a meeting, come back later. v3 only had Reviewed / Not reviewed. Need a state for "I'm working on this."

A · Auto-save with explicit "Mark reviewed"

Rationale text auto-saves on every keystroke. Status flows: Not started → (any edit) → Draft → (Mark reviewed) → Reviewed. Draft state shows last-edit timestamp.

Cost: "Draft" can stagnate forever. Need stale-draft prompts (e.g., "10 controls in draft >7d — review or unstage?").
Recommended · Already shown in v4 above ↑ (Draft pill on row, banner in peek).

B · Three-state machine

Explicit Not started · In progress · Reviewed. User actively transitions states (no implicit auto-state-change).

Cost: Extra clicks. User has to remember to mark "in progress" — and they won't. Implicit (A) reads minds better.
Trade-off · Clear semantics, friction cost.

C · Sessions: open = locked

Opening a control acquires a soft lock. Other reviewers see "George is editing." Closing releases. Draft is implicit while open.

Cost: Stale locks (browser crash, abandoned tab). Lock contention with multi-reviewer teams.
Edge case · Useful for collaboration UX, not as the draft model.

D · Snapshot every save

Every edit creates a versioned snapshot. "Reviewed" is the snapshot you mark canonical. History always available.

Cost: Storage growth. UI complexity (which snapshot?). Over-engineered for typical use.
Edge case · Right for high-stakes legal/audit, overkill for daily review.

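The draft rules above are easy to get subtly wrong once two reviewers and a bulk action are involved, so here is an added worked model (not code from the v4 mockup or its codebase) of approach A together with the soft lock from approach C: any edit auto-saves into Draft, only an explicit Mark reviewed leaves it, drafts older than a threshold feed the stale-draft prompt, and the lock carries a TTL so a crashed browser cannot hold a control forever. The class and function names, the 7-day stale threshold, the 15-minute lock TTL, the rule that editing a Reviewed control sends it back to Draft, and the scenario data are all assumptions.

```python
# Added example (not from the v4 mockup or its codebase). Assumed names and
# thresholds throughout; the 7-day figure comes from the page's ">7d" wording.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

NOT_STARTED, DRAFT, REVIEWED = "Not started", "Draft", "Reviewed"
STALE_AFTER = timedelta(days=7)    # assumed stale-draft threshold
LOCK_TTL = timedelta(minutes=15)   # assumed; the client refreshes it while the peek is open


@dataclass
class Control:
    cid: str
    rationale: str = ""
    status: str = NOT_STARTED
    last_edit: Optional[datetime] = None
    lock_owner: Optional[str] = None
    lock_expires: Optional[datetime] = None

    def acquire_lock(self, user: str, now: datetime) -> bool:
        """Soft lock: granted if free, already ours, or held by someone but expired."""
        held_by_other = (self.lock_owner is not None and self.lock_owner != user
                         and self.lock_expires is not None and self.lock_expires > now)
        if held_by_other:
            return False
        self.lock_owner, self.lock_expires = user, now + LOCK_TTL
        return True

    def release_lock(self, user: str) -> None:
        if self.lock_owner == user:
            self.lock_owner = self.lock_expires = None

    def edit(self, user: str, text: str, now: datetime) -> None:
        """Auto-save path: every keystroke lands here. Any edit, including one on
        a Reviewed control (assumption), puts the control in Draft."""
        if not self.acquire_lock(user, now):
            raise PermissionError(f"{self.cid} is being edited by {self.lock_owner}")
        self.rationale, self.status, self.last_edit = text, DRAFT, now

    def mark_reviewed(self, user: str, now: datetime) -> None:
        """The only explicit transition; idempotent so bulk actions can repeat it."""
        self.status, self.last_edit = REVIEWED, now
        self.release_lock(user)


def stale_drafts(controls: Iterable[Control], now: datetime) -> List[str]:
    """Drafts nobody has touched for longer than STALE_AFTER."""
    return [c.cid for c in controls
            if c.status == DRAFT and c.last_edit is not None
            and now - c.last_edit > STALE_AFTER]


def stale_draft_prompt(controls: Iterable[Control], now: datetime) -> Optional[str]:
    stale = stale_drafts(controls, now)
    if not stale:
        return None
    n = len(stale)
    return f"{n} control{'s' if n != 1 else ''} in draft >{STALE_AFTER.days}d: review or unstage?"


def bulk_mark_reviewed(controls: Iterable[Control], user: str, now: datetime) -> List[str]:
    """Bulk-toolbar action; returns ids skipped because someone else holds a live lock."""
    skipped = []
    for c in controls:
        if c.acquire_lock(user, now):
            c.mark_reviewed(user, now)
        else:
            skipped.append(c.cid)
    return skipped


def demo() -> dict:
    """Constructed scenario (not from the page): two reviewers, three controls."""
    t0 = datetime(2026, 4, 12, 9, 0, tzinfo=timezone.utc)
    a51, a52, a53 = Control("A.5.1"), Control("A.5.2"), Control("A.5.3")
    a51.edit("george", "Policy v3.2 approved by CISO; annual review evidence pending.", t0)
    a52.edit("george", "Roles documented in the RACI; owners confirmed.", t0)
    a52.mark_reviewed("george", t0 + timedelta(hours=1))
    # Anouar is blocked while George's lock is fresh ...
    blocked = a51.acquire_lock("anouar", t0 + timedelta(minutes=5))
    # ... but takes it over once the lock has aged past LOCK_TTL (George's tab died).
    takeover = a51.acquire_lock("anouar", t0 + timedelta(hours=2))
    # George bulk-marks; A.5.1 is skipped because Anouar now holds a live lock.
    skipped = bulk_mark_reviewed([a51, a53], "george", t0 + timedelta(hours=2, minutes=1))
    later = t0 + timedelta(days=10)
    return {
        "status": {c.cid: c.status for c in (a51, a52, a53)},
        "blocked": blocked, "takeover": takeover, "skipped": skipped,
        "stale": stale_drafts([a51, a52, a53], later),
        "prompt": stale_draft_prompt([a51, a52, a53], later),
    }
```

Two things this makes concrete: the lock never blocks the draft model (a takeover leaves the other reviewer's Draft and timestamp intact, it only changes who may type), and bulk Mark reviewed has to report what it skipped rather than silently overwriting a colleague's live session.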
Gap 4

Year-over-year continuity

RBC ISO 27001 is annual. Year 2 wants continuity: what changed, which gaps closed, score trajectory. v3's flat-project-list implies fresh starts each year.

A · "Engagement Series" container above Project

Customer → Engagement Series ("RBC ISO 27001 ongoing") → Project ("2025 cycle", "2026 cycle"). Series carries persistent state; Project is the bounded run.

Cost: Re-introduces a hierarchy level we just collapsed. Adds complexity for one-off engagements that don't need it.
Trade-off · Clean for recurring; heavy for one-offs.

B · "Continued from" pointer + roll-forward template

Project has an optional "continues from prior project" reference. Creating year-2 from year-1 copies scope, frameworks, evidence library. Sidebar shows "↶ View 2025" link (already in v4 ↑).

Cost: Continuity is project-pair-shaped, not series-shaped. "Show me 5 years of trend" requires walking the chain.
Recommended · Lightweight; preserves Project as the unit. Walk pointers when needed.

C · Annual snapshots, no new project

"RBC ISO 27001" is one project that never closes. Each year it generates an annual report snapshot. Time-series live in the project.

Cost: Doesn't match how billable engagements work. Each year is a contract, billed and scoped separately. Snapshot model loses the per-year deliverable boundary.
Edge case · Right for the continuous-monitoring product; wrong for consultant work.

D · Customer-level history view

Add a Customer page (separate from project list) that shows all engagements over time, trend lines, gap closure rates. Not a nav level — a separate view.

Cost: Reintroduces Customer-as-place softly. May confuse the org-as-metadata story.
Trade-off · Combine with B for the best of both.

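Approach B's "walk the chain" cost and approach D's trend lines are the same computation, so here is an added example (not code from the v4 mockup or its codebase) of a Project with an optional continued_from pointer: walk_series follows the chain oldest-first and refuses a pointer cycle, trend yields the multi-year series, and yoy_delta produces the figures the Maturity tab's year-over-year block shows (avg maturity before/after, gaps closed, new gaps). The field names, the gap rule (a reviewed control scored under 3 of 5), and the sample scores are assumptions.

```python
# Added example (not from the v4 mockup or its codebase). Field names, the
# gap rule and the sample scores are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

GAP_BELOW = 3  # assumed: a reviewed control scored under 3/5 counts as an open gap


@dataclass
class Project:
    name: str
    year: int
    scores: Dict[str, Optional[int]]   # control id -> maturity 0..5, None = not reviewed
    continued_from: Optional["Project"] = None

    def gaps(self) -> Set[str]:
        return {cid for cid, s in self.scores.items() if s is not None and s < GAP_BELOW}

    def avg_maturity(self) -> float:
        reviewed = [s for s in self.scores.values() if s is not None]
        return round(sum(reviewed) / len(reviewed), 2) if reviewed else 0.0


def walk_series(project: Project) -> List[Project]:
    """Oldest-first chain. Guarded: a continued_from loop (bad import, or a user
    pointing a project at its own successor) would otherwise never terminate."""
    chain: List[Project] = []
    seen: Set[int] = set()
    p: Optional[Project] = project
    while p is not None:
        if id(p) in seen:
            raise ValueError(f"continued_from cycle at {p.name}")
        seen.add(id(p))
        chain.append(p)
        p = p.continued_from
    chain.reverse()
    return chain


def trend(project: Project) -> List[Tuple[int, float]]:
    """(year, avg maturity) per cycle, e.g. for a multi-year line on the Maturity tab."""
    return [(p.year, p.avg_maturity()) for p in walk_series(project)]


def yoy_delta(current: Project) -> dict:
    """Year-over-year block: compares a project with the one it continues from."""
    prev = current.continued_from
    if prev is None:
        return {}
    cur_gaps, prev_gaps = current.gaps(), prev.gaps()
    return {
        "avg_maturity": (prev.avg_maturity(), current.avg_maturity()),
        "gaps_closed": sorted(prev_gaps - cur_gaps),
        "new_gaps": sorted(cur_gaps - prev_gaps),
        "still_open": sorted(prev_gaps & cur_gaps),
    }


def demo() -> dict:
    """Constructed three-cycle series (sample scores, not RBC data)."""
    p24 = Project("RBC ISO 27001 · 2024", 2024,
                  {"A.5.1": 1, "A.5.2": 2, "A.5.3": 3, "A.8.1": 2})
    p25 = Project("RBC ISO 27001 · 2025", 2025,
                  {"A.5.1": 2, "A.5.2": 3, "A.5.3": 3, "A.8.1": 2, "A.8.9": None},
                  continued_from=p24)
    p26 = Project("RBC ISO 27001 · 2026", 2026,
                  {"A.5.1": 3, "A.5.2": 4, "A.5.3": 2, "A.8.1": 3, "A.8.9": 2},
                  continued_from=p25)
    out = {"trend": trend(p26), "yoy": yoy_delta(p26)}
    p24.continued_from = p26   # corrupt the chain on purpose: 2024 "continues from" 2026
    try:
        walk_series(p26)
        out["cycle_detected"] = False
    except ValueError:
        out["cycle_detected"] = True
    return out
```

The cycle guard is the part worth keeping even if the rest changes: a continued_from reference is user-editable data, and a pointer loop turns every trend query into a hang unless the walk tracks what it has seen.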
Gap 5

Report generation as multi-step workflow

v3's "Generate report" was one-click. Reality: pick type → pick frameworks → pick audience → pick template → generate draft → edit (heavily) → share. Need a builder, not a button.

A · Modal wizard

"Generate report" button → multi-step modal: Type → Frameworks → Audience → Format → Generate.

Cost: Each modal step feels disposable. No persistent workspace. Can't easily save partial config.
Trade-off · Familiar pattern; loses craft of a real report builder.

B · Always-live draft report (Notion-style page)

A "Report" tab is one persistent draft document, structured by template. Sections fill from project data live (controls table, gaps, etc.). Consultant edits prose around it. "Generate" = freeze + export.

Cost: Heavy upfront engineering (live-data document). Only one report shape per project unless you allow multiple drafts.
Recommended · Matches the Notion analogy. Report becomes a living artifact, not a one-shot.

C · Quick-export presets + custom builder

Top-bar dropdown: "Quick PDF · Gap Analysis · Maturity Summary · Open builder". Presets generate immediately; builder for custom.

Cost: Quick exports may produce unsuitable defaults. Easy to send a wrong-shape report by accident.
Trade-off · Speed vs control.

D · Export to Word/Google Docs

Don't build a report editor. Export a structured DOCX/Google Doc, let the consultant edit in their tool of choice.

Cost: The product is no longer the system of record for the deliverable. Consultant edits live outside; changes don't flow back.
Edge case · Useful as an "export option" alongside B; weak as the only path.

Gap 6

Bulk evidence ingestion

v3 had a single upload button. Real ingestion is folder-shaped.

  • A · Multi-file drop zone (shipped in v4 Evidence tab) — recommended.
  • B · SharePoint / Drive folder sync — recommended for enterprise; needs auth integration.
  • C · Email-to-evidence — clever; addressing & spam mitigation needed.
  • D · ZIP archive upload — fallback for offline transfer.
Ship A. Add B/C in order of customer demand.
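Option C's "addressing & spam mitigation needed" is the part that bites if left vague, so here is an added example (not code from the v4 mockup or its codebase) of one workable scheme: each project gets an ingest address whose local part carries an HMAC tag over the project id and a key version, so the address cannot be guessed and can be rotated; inbound mail becomes evidence only if the tag verifies, the receiving MTA recorded a DKIM pass for the sender's domain, and the sender is allowlisted. The ingest domain, the secret, the header conventions, the allowlist shape and the sample message are all assumptions.

```python
# Added example (not from the v4 mockup or its codebase). Domain, secret,
# header conventions and the sample message are assumptions.
import hashlib
import hmac
import re
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

INGEST_DOMAIN = "evidence.example.com"        # assumed
INGEST_SECRET = b"rotate-me-per-environment"  # assumed; from a secrets manager in practice
TAG_HEX = 20                                  # 80-bit tag: enough that addresses can't be guessed


def ingest_address(project_id: str, key_version: int = 1) -> str:
    """ev-<project>-v<ver>-<tag>@domain; raising the minimum version revokes old addresses."""
    tag = hmac.new(INGEST_SECRET, f"{project_id}:{key_version}".encode(),
                   hashlib.sha256).hexdigest()[:TAG_HEX]
    return f"ev-{project_id}-v{key_version}-{tag}@{INGEST_DOMAIN}"


_ADDR = re.compile(rf"^ev-(?P<pid>[a-z0-9]+)-v(?P<ver>\d+)-(?P<tag>[0-9a-f]{{{TAG_HEX}}})@"
                   + re.escape(INGEST_DOMAIN) + r"$")


def verify_address(addr: str, min_key_version: int = 1):
    """(project_id, key_version) if the address carries a valid tag, else None."""
    addr = addr.strip().lower()
    m = _ADDR.match(addr)
    if not m or int(m["ver"]) < min_key_version:
        return None
    expected = ingest_address(m["pid"], int(m["ver"]))
    return (m["pid"], int(m["ver"])) if hmac.compare_digest(expected, addr) else None


def triage(msg: EmailMessage, allowlist, min_key_version: int = 1) -> dict:
    """Decide whether an inbound message may become evidence for a project.
    allowlist holds sender addresses and/or bare domains (assumed shape)."""
    def reject(reason):
        return {"accepted": False, "reason": reason}
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    target = next((v for _, a in getaddresses(headers)
                   if (v := verify_address(a, min_key_version))), None)
    if target is None:
        return reject("no valid ingest address")      # guessed, malformed or rotated-out
    sender = parseaddr(msg.get("From", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    # Assumed: the receiving MTA writes an RFC 8601 Authentication-Results header.
    auth = msg.get("Authentication-Results", "").lower()
    dkim = re.search(r"dkim=pass\b[^;]*\bheader\.d=([a-z0-9.-]+)", auth)
    if not dkim or dkim.group(1) != domain:
        return reject("sender domain not DKIM-authenticated")   # From: alone is spoofable
    if sender not in allowlist and domain not in allowlist:
        return reject(f"sender {sender} not allowlisted")
    return {"accepted": True, "project": target[0], "key_version": target[1],
            "sender": sender, "attachments": [p.get_filename() for p in msg.iter_attachments()]}


def _sample(to_addr: str, sender: str, auth_results=None) -> EmailMessage:
    """Constructed message, not captured traffic."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, to_addr, "2025 policy review minutes"
    if auth_results:
        m["Authentication-Results"] = auth_results
    m.set_content("Minutes attached as requested.")
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="review_minutes_2025.pdf")
    return m


def demo() -> dict:
    allow = {"rbc.example"}
    good = ingest_address("rbc2026", 1)
    auth = "mx.evidence.example.com; dkim=pass header.d=rbc.example header.s=sel1; spf=pass"
    return {
        "legit": triage(_sample(good, "ciso@rbc.example", auth), allow),
        "guessed": triage(_sample(f"ev-rbc2026-v1-{'0' * TAG_HEX}@{INGEST_DOMAIN}",
                                  "ciso@rbc.example", auth), allow),
        "spoofed": triage(_sample(good, "ciso@rbc.example"), allow),   # no DKIM result
        "outsider": triage(_sample(good, "mallory@attacker.example",
                                   "mx; dkim=pass header.d=attacker.example"), allow),
        "rotated": triage(_sample(good, "ciso@rbc.example", auth), allow, min_key_version=2),
    }
```

Two caveats a practitioner should carry into the real design. The tagged address is a bearer secret: anyone who sees it (a forwarded thread, a CC) can submit, which is why the key version exists and why accepted mail should still land in a review queue rather than auto-mapping to controls. And the sender allowlist only means something because the MTA's DKIM verdict is checked against the From: domain; without that, the From: header is attacker-controlled and the allowlist is decoration.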
Gap 7

Per-row scope badge — keep or drop?

v3 invented per-row scope. May not match how scope actually applies.

  • A · Drop entirely — controls inherit project scope; simpler.
  • B · Show only when overridden (rare cases) — recommended.
  • C · Keep as filter, drop from row — middle ground.
Validate with an actual scoping case (CPCSC) before deciding.
Gap 8

Empty / day-zero states

v3 only showed "deep into work." Day 1, Day 5, Day 30, Day 45 each have different needs.

  • A · Onboarding wizard — heavy; only on first project.
  • B · Stage-aware empty states — UI changes by project stage; recommended.
  • C · Setup checklist as the empty UI — the empty state IS the work.
Combine B + C: stage-aware UI that shows the next-step checklist when relevant.

What v4 ships in this mockup vs. what's still on paper

Shipped in this mockup ↑
  • Tab-switching navigation across the 6 project tabs (click them — they work).
  • Multi-select checkboxes + bulk-action toolbar.
  • Draft state on rows + draft banner in peek.
  • "Continued from 2025" pointer in sidebar (Gap 4 / Approach B).
  • Multi-file drop zone in Evidence tab (Gap 6 / Approach A).
  • Year-over-year comparison block in Maturity tab (Gap 4 / Approach D).
  • Click control row → peek opens. × closes.
On paper only (annotated above ↑)
  • Per-framework scope forms (Gap 1 / Approach B).
  • Three-state vs auto-save draft model (Gap 3 — committed to A).
  • Engagement Series vs Continued-from (Gap 4 — committed to B).
  • Live report document tab (Gap 5 / Approach B — only the Share tab is mocked).
  • Stale-draft prompts and lock semantics.
  • Day-zero / setup-checklist empty state (Gap 8).

Files: index.html v1 · index-v2.html v2 · index-v3.html v3 · index-v4.html v4 (this — interactive + approaches).